Analysis

- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 12:39

Tasks:

| Task | Type | Sample | Resource |
|---|---|---|---|
| static1 | Static task | | |
| behavioral1 | Behavioral task | Offer ZI-0428.rtf | win7-20240611-en |
| behavioral2 | Behavioral task | Offer ZI-0428.rtf | win10-20240404-en |
| behavioral3 | Behavioral task | Offer ZI-0428.rtf | win10v2004-20240226-en |
| behavioral4 | Behavioral task | Offer ZI-0428.rtf | win11-20240508-en |
General

- Target: Offer ZI-0428.rtf
- Size: 293KB
- MD5: dde9d7d091ac0cc1d35515d259d8ca6f
- SHA1: c6e943143771fc3fd7c2c548f5fddcd6013d9302
- SHA256: 95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224
- SHA512: 04f282c1b0333925454b7ab1c461c4ae395b0b8148bc6d51fd36368db2dc187daa6d273177d4ad15b50ede52bacf6271062dab70d45b871c8f805a8083844995
- SSDEEP: 6144:4GuqGuqGuqGuqGuqGuqGuqGuqGuqGu9tNcTr:4
Malware Config

Extracted

- Family: remcos
- Botnet: sPITTT
- C2: antfly50.sytes.net:1980
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-BW3KDF
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/2960-86-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView |
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/2468-81-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView |
-
Nirsoft 3 IoCs
Processes:

| resource | yara_rule |
|---|---|
| behavioral1/memory/2468-81-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft |
| behavioral1/memory/2960-86-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft |
| behavioral1/memory/1132-91-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft |
-
Blocklisted process makes network request 1 IoCs
Processes:

| flow | pid | process |
|---|---|---|
| 4 | 2640 | EQNEDT32.EXE |
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:

| pid | process |
|---|---|
| 2892 | powershell.exe |
| 2532 | powershell.exe |
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:

| pid | process |
|---|---|
| 1760 | plugman23456.scr |
| 2804 | plugman23456.scr |
| 2468 | plugman23456.scr |
| 2384 | plugman23456.scr |
| 2960 | plugman23456.scr |
| 1132 | plugman23456.scr |
-
Loads dropped DLL 2 IoCs
Processes:

| pid | process |
|---|---|
| 2640 | EQNEDT32.EXE |
| 2640 | EQNEDT32.EXE |
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | plugman23456.scr |
-
Drops file in System32 directory 2 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
-
Suspicious use of SetThreadContext 4 IoCs
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 1760 set thread context of 2804 | 1760 | plugman23456.scr | plugman23456.scr |
| PID 2804 set thread context of 2468 | 2804 | plugman23456.scr | plugman23456.scr |
| PID 2804 set thread context of 2960 | 2804 | plugman23456.scr | plugman23456.scr |
| PID 2804 set thread context of 1132 | 2804 | plugman23456.scr | plugman23456.scr |
-
Drops file in Windows directory 1 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE
-
Modifies registry class 64 IoCs
Processes: WINWORD.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:

| pid | process |
|---|---|
| 2248 | WINWORD.EXE |
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:

| pid | process |
|---|---|
| 1760 | plugman23456.scr |
| 1760 | plugman23456.scr |
| 2892 | powershell.exe |
| 2532 | powershell.exe |
| 2468 | plugman23456.scr |
| 2468 | plugman23456.scr |
-
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:

| pid | process |
|---|---|
| 2804 | plugman23456.scr |
| 2804 | plugman23456.scr |
| 2804 | plugman23456.scr |
| 2804 | plugman23456.scr |
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1760 | plugman23456.scr |
| Token: SeDebugPrivilege | 2532 | powershell.exe |
| Token: SeDebugPrivilege | 2892 | powershell.exe |
| Token: SeDebugPrivilege | 1132 | plugman23456.scr |
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:

| pid | process |
|---|---|
| 2248 | WINWORD.EXE |
| 2248 | WINWORD.EXE |
| 2804 | plugman23456.scr |
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes (identical rows are collapsed; the count column gives how many times each row appears in the 52 entries):

| description | pid | process | target process | count |
|---|---|---|---|---|
| PID 2640 wrote to memory of 1760 | 2640 | EQNEDT32.EXE | plugman23456.scr | 4 |
| PID 2248 wrote to memory of 1228 | 2248 | WINWORD.EXE | splwow64.exe | 4 |
| PID 1760 wrote to memory of 2892 | 1760 | plugman23456.scr | powershell.exe | 4 |
| PID 1760 wrote to memory of 2532 | 1760 | plugman23456.scr | powershell.exe | 4 |
| PID 1760 wrote to memory of 1704 | 1760 | plugman23456.scr | schtasks.exe | 4 |
| PID 1760 wrote to memory of 2804 | 1760 | plugman23456.scr | plugman23456.scr | 13 |
| PID 2804 wrote to memory of 2468 | 2804 | plugman23456.scr | plugman23456.scr | 5 |
| PID 2804 wrote to memory of 2384 | 2804 | plugman23456.scr | plugman23456.scr | 4 |
| PID 2804 wrote to memory of 2960 | 2804 | plugman23456.scr | plugman23456.scr | 5 |
| PID 2804 wrote to memory of 1132 | 2804 | plugman23456.scr | plugman23456.scr | 5 |
Processes

- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Offer ZI-0428.rtf"
  Signatures:
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\plugman23456.scr
    Command line: "C:\Users\Admin\AppData\Roaming\plugman23456.scr"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\plugman23456.scr"
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\znlzneAxBVd.exe"
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp"
      Signatures:
      - Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Roaming\plugman23456.scr
      Command line: "C:\Users\Admin\AppData\Roaming\plugman23456.scr"
      Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Users\Admin\AppData\Roaming\plugman23456.scr
        Command line: C:\Users\Admin\AppData\Roaming\plugman23456.scr /stext "C:\Users\Admin\AppData\Local\Temp\mmsxkdzyjkunigwpzxgnouyjxeomy"
        Signatures:
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Roaming\plugman23456.scr
        Command line: C:\Users\Admin\AppData\Roaming\plugman23456.scr /stext "C:\Users\Admin\AppData\Local\Temp\whxpkvksxsmstmsbjisorhtaylyvrfcn"
        Signatures:
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\plugman23456.scr
        Command line: C:\Users\Admin\AppData\Roaming\plugman23456.scr /stext "C:\Users\Admin\AppData\Local\Temp\whxpkvksxsmstmsbjisorhtaylyvrfcn"
        Signatures:
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts
      - C:\Users\Admin\AppData\Roaming\plugman23456.scr
        Command line: C:\Users\Admin\AppData\Roaming\plugman23456.scr /stext "C:\Users\Admin\AppData\Local\Temp\zbka"
        Signatures:
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\remcos\logs.dat
- Filesize: 224B
- MD5: e774ca36bac2ad5f2bfe08b73916dd02
- SHA1: 3926e73ddec251853463ca6f8dae5c81c3925261
- SHA256: 889c16ccef184d9c154fcb081e210ff385331f7bf3ec912fea12dc821c83fda6
- SHA512: e9fd5458cec5e5a90bd508d51ecebfb3b1a8dec664005d81f4c3e0552572ab4ccd5987187adbcf61155eb72be127fd4f060ff6de19a0eeb217d5419b563e4d5b

C:\Users\Admin\AppData\Local\Temp\mmsxkdzyjkunigwpzxgnouyjxeomy
- Filesize: 2B
- MD5: f3b25701fe362ec84616a93a45ce9998
- SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
- SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\tmpA44B.tmp
- Filesize: 1KB
- MD5: e1a025581e1c3c58a729c09b0f8a8497
- SHA1: 1e136d28cab0643da8d45042db400ff399ce5747
- SHA256: b5360f925c84b1f8da923f04a4140a8b63e1c512cadc3273f3eb4bd294f60b02
- SHA512: 9f895c236a3a70032e19eba17b894ae44d7ba221ba0219f5341452ba88c5b06295023c831c3a38cef662572547564beb9b09ef4739041d3e9d689644e375ba83

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
- Filesize: 20KB
- MD5: 07b6475fc506b60aff30028dffeb8523
- SHA1: 952e24c6e2b7707226a8c32c507a615c3f9e6244
- SHA256: 285747ac7ea369c28731968accbf780875e1a11b36be63f44eee7bd07e39bf66
- SHA512: 0ad74fd32b6323f98cc3a1b6149c42e3a102e367b8b9b791d42242da0808be44b2c8d4a80f15501a87a5ac374f33bdad566bad6a37a9e3c5a8319deef9f91ad8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
- Filesize: 7KB
- MD5: 4c7e78fe68f89cb8986884c27fcd109e
- SHA1: 71c3ddc1ba3d3863f83306c7556839522fd10744
- SHA256: 9720077d5279e938a635ebf2559143432f12e82a0f7c6b00d5bfe9e1e1e32d80
- SHA512: 8ee960b3adaa025769ac34cbb717cd784ad29718d961b0600db1bc8b4388acd28f360404404a3e413ad2440686045d4397f33ced60a35c0dbd62a81a47a9256f

\Users\Admin\AppData\Roaming\plugman23456.scr
- Filesize: 1.1MB
- MD5: 28f77c9af8cb3ea886714bbfc8326635
- SHA1: f6f02b22cd5a272c71a5afa66efd3b237fe4f24f
- SHA256: f251fe71103ef7bc4cbdbcfe9c1d7c4a595f831e51cf4064f2bfa595f47bda35
- SHA512: 03508e0f3f68696f4f7b64aa737d40e8bd24b69ea7860a8fabee997d238454929605fe5b1ea0880af14cf3a89763d46e1fdeb9a526700d570b0d672330b5f82d

Memory dumps (one row per distinct region; the index column lists the number between the pid and the address range in each memory/<pid>-<index>-<range>-memory.dmp file name):

| pid | region | size | dump index |
|---|---|---|---|
| 1132 | 0x0000000000400000-0x0000000000424000 | 144KB | 88, 90, 91 |
| 1760 | 0x000000006B97E000-0x000000006B97F000 | 4KB | 17 |
| 1760 | 0x00000000010D0000-0x00000000011E8000 | 1.1MB | 19 |
| 1760 | 0x0000000000B00000-0x0000000000B10000 | 64KB | 24 |
| 1760 | 0x0000000000D80000-0x0000000000D8C000 | 48KB | 26 |
| 1760 | 0x0000000004CF0000-0x0000000004DB0000 | 768KB | 27 |
| 2248 | 0x000000002F2D1000-0x000000002F2D2000 | 4KB | 0 |
| 2248 | 0x000000005FFF0000-0x0000000060000000 | 64KB | 1, 141 |
| 2248 | 0x000000007186D000-0x0000000071878000 | 44KB | 2, 72 |
| 2468 | 0x0000000000400000-0x0000000000478000 | 480KB | 77, 80, 81 |
| 2804 | 0x0000000000400000-0x0000000000482000 | 520KB | 40, 42, 44, 46, 48, 50, 52, 54, 57, 59, 60, 63, 64, 65, 66, 67, 68, 70, 73, 74, 103, 108, 109, 116, 117, 145, 146, 153, 154 |
| 2804 | 0x000000007EFDE000-0x000000007EFDF000 | 4KB | 56 |
| 2804 | 0x0000000010000000-0x0000000010019000 | 100KB | 98, 101, 102 |
| 2960 | 0x000000007EFDE000-0x000000007EFDF000 | 4KB | 82 |
| 2960 | 0x0000000000400000-0x0000000000462000 | 392KB | 83, 85, 86 |